
InfoBytes Blog

Financial Services Law Insights and Observations


  • District Court approves data breach settlement

    Courts

    On June 8, the U.S. District Court for the Southern District of New York granted a plaintiffs’ motion for final approval of a class action settlement resolving claims that several retail businesses failed to establish reasonable safeguards, a failure that led to a data breach. According to the opinion, the plaintiff alleged that a syndicate accessed cardholder information and sold it on the so-called dark web. The plaintiffs also claimed that the breach caused them to spend time monitoring their accounts, safeguarding account information, and, for some plaintiffs, resolving fraudulent charges and withdrawals. The settlement provides for two different levels of payments to affected consumers. Tier 1 claimants, who must provide proof of a payment transaction during the period of the breach and confirm that they spent time monitoring account information after the breach, will receive $30. Tier 2 claimants will be reimbursed for documented out-of-pocket expenses incurred as a result of the breach, such as costs and expenses related to identity theft or fraud, late fees, and unauthorized charges and withdrawals, in an amount not to exceed $5,000. The total amount to be paid to class members is approximately $278,000.

    Courts Privacy/Cyber Risk & Data Security Data Breach Consumer Finance Settlement Class Action

  • District Court dismisses suit alleging improper inspection fees

    Courts

    On June 6, the U.S. District Court for the District of New Jersey granted a defendant bank’s motion to dismiss, ruling that the plaintiff’s inspection fee allegations are barred on collateral estoppel grounds. The plaintiff filed a class action suit claiming the defendant’s computer software orders property inspections after borrowers’ loans are in default and then charges borrowers for the improper inspection fees. According to the opinion, the defendant initiated foreclosure proceedings in 2012 against the plaintiff in state court after she missed payments. The parties litigated the matter for several years in state court, and in 2018, the plaintiff filed a motion for leave to add class action claims related to the defendant’s inspection fee collection system. The state court denied plaintiff’s motion, finding the proposed claims to be without merit and futile. Final judgment of foreclosure was granted to the bank. Similar proceedings involving the same class action counterclaims occurred after the defendant requested that the judgment be vacated to add an additional lien holder as a defendant. The defendant again applied for entry of final judgment, but withdrew this application allegedly in response to the Covid-19 pandemic. Ultimately the state court dismissed the foreclosure action without prejudice for lack of prosecution. The plaintiff filed the instant complaint in federal court.

    The defendant argued that the plaintiff “should be collaterally estopped from bringing these claims because the New Jersey Superior Court ruled on the exact issues [plaintiff] raises here in the prior foreclosure action brought by [defendant] against [plaintiff] in state court, ultimately dismissing them with prejudice.” The plaintiff countered “that because the foreclosure action was dismissed without entry of judgment, collateral estoppel does not apply.” In agreeing with the defendant, the court stated that “the doctrine of collateral estoppel applies whenever an action is ‘sufficiently firm to be accorded conclusive effect,’” adding that the state court’s orders in the foreclosure action are “sufficiently firm as to warrant conclusive effect.” According to the court, “[t]hese decisions—particularly the second dismissal with prejudice—were clearly intended to be the final adjudication of the precise issues that [plaintiff] is now attempting to relitigate in the instant action.”

    Courts State Issues Foreclosure Collateral Estoppel Fees Class Action Consumer Finance

  • District Court granted final approval of a $63 million data breach settlement

    Privacy, Cyber Risk & Data Security

    On June 7, the U.S. District Court for the District of Columbia granted final approval of a class action settlement resolving claims that a government agency and its contractor (collectively, defendants) did not detect hackers because they failed to establish reasonable safeguards, a failure that led to a data breach. According to the memorandum of law in support of the plaintiff’s motion for preliminary approval, a data breach occurred in June 2015 that compromised financial records, Social Security numbers, and other personal information of anyone who underwent a background check at the agency since 2000. The agency allegedly controlled numerous electronic systems without valid authorizations, failed to implement multi-factor authentication for accessing systems, failed to patch, segment, and continuously monitor systems, and failed to implement centralized data security protocols. According to the plaintiff’s motion, the settlement (if granted final approval) would require the U.S. government to pay $60 million of the settlement fund and the contractor to pay $3 million. The settlement agreement provides that “[e]ach valid claim will be paid at $700, except that if the actual amount of documented loss exceeds $700, the claim will be paid in that amount, up to $10,000.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Class Action Settlement

  • District Court: Company must face data breach claims

    Courts

    On June 1, the U.S. District Court for the District of Arizona ruled that a health care company must face a proposed class action related to claims that its failure to implement cybersecurity safeguards led to a data breach that compromised individuals’ personal health information. In granting in part and denying in part defendant’s motion to dismiss, the court declined to dismiss several of the plaintiffs’ claims for negligence, ruling that the second amended complaint sufficiently alleged that the defendant employed inadequate data security and that plaintiffs suffered an actual injury as a result of the data breach because the monitoring services offered by the defendant were insufficient and offered for too short a time, causing certain plaintiffs to purchase additional identity protection products and/or services. However, other negligence claims were dismissed after the court determined that some of the plaintiffs failed to allege any actual damages or out-of-pocket expenses. Additionally, while the court allowed several state law claims to proceed, it dismissed claims brought under the California Consumer Protection Act due to the plaintiff’s failure to provide the requisite pre-suit notice within the 30-day time period as required by law, finding the failure could not be cured by the passage of time. Other state law claims, involving violations of the Wisconsin Deceptive Trade Practices Act and Pennsylvania Unfair Trade Practices and Consumer Protection Law, were also dismissed due to a failure to articulate cognizable losses.

    Courts State Issues California Privacy/Cyber Risk & Data Security Class Action Data Breach

  • District Court certifies TCPA class action against debt collector

    Courts

    On May 31, the U.S. District Court for the Western District of Washington granted a plaintiff’s motion for class certification in an action alleging a defendant debt collector placed unsolicited calls to borrowers’ cell phones when attempting to collect federal student loan debt. The plaintiff contended that the defendant violated the TCPA by calling her up to seven times a day without her consent using an automatic telephone dialing system (autodialer) and prerecorded calls or artificial voice calls. According to the plaintiff, in 2019, the defendant obtained her cell phone number through skip-tracing services performed by one of its vendors. The defendant allegedly had access to a call recording from a 2017 conversation between a Department of Education contractor and the plaintiff during which the plaintiff provided her phone number. The defendant, however, allegedly was not aware of the recording nor did it seek to access the file until after the plaintiff filed suit. The defendant also supposedly received a file from the contractor containing the plaintiff’s number but not until after it already acquired the number from the skip-tracing vendor. The defendant denied that it used an autodialer or made prerecorded calls or artificial voice calls. The defendant also claimed that “because it had constructive access to the recording of plaintiff’s 2017 phone conversation with [the contractor] and received the [] file with plaintiff’s number, it had plaintiff’s prior express consent to receiving calls.”

    The court certified the class, ruling that the question of whether access to the files in question was sufficient to confer consent under the TCPA is “a closer legal question, but not one that overcomes predominance at this stage.” According to the court, “the issue of whether defendant can show that its right of access to [the contractor’s] files constituted prior express consent is one that is currently capable of classwide resolution. Accordingly, while the affirmative defenses defendant presses will no doubt be important to the outcome of the litigation, they presently do not undercut the central common issues in this case.”

    Courts Class Action TCPA Debt Collection Autodialer Consumer Finance

  • District Court preliminarily approves $2 million debt collection settlement over garnishment issuance fees

    Courts

    On May 24, the U.S. District Court for the District of Oregon preliminarily approved a class action settlement resolving claims concerning a debt collection agency’s $45 garnishment “issuance fee.” According to the plaintiffs, the defendant issued garnishments to debtors’ employers and banks through its in-house attorneys to collect revenue for outstanding debts. While Oregon law allows debt collectors to charge fees as a means of compensating for the expense of hiring attorneys who issue such garnishments, the plaintiffs contended that the defendant’s “$45 fee is an abuse of the cost recovery statute because using in-house attorneys relieves defendant from ever incurring such an expense.” The plaintiffs alleged violations of the FDCPA, Oregon’s Unlawful Trade Practices Act, and Oregon’s Unlawful Debt Collection Practices Act. While the defendant denied any wrongdoing as part of the preliminarily approved settlement, it has agreed to pay $2 million to settle the claims. Class members, defined as more than 10,000 Oregonians allegedly injured by the $45 issuance fees between January 2018 and September 2019, will each receive “an amount three times greater than the actual damages caused originally by Defendant’s issuance fees.”

    Courts State Issues Settlement FDCPA Debt Collection Class Action Consumer Finance Fees

  • District Court: Emotional distress did not cause injury-in-fact

    Courts

    On May 10, the U.S. District Court for the Western District of New York granted a defendant’s motion for summary judgment in a FDCPA class action suit. According to the order, the defendant sent the plaintiff a letter seeking to collect $9,700. The collections letter identified the name of the original creditor and the name of the current creditor to whom the debt was owed. The plaintiff filed suit, claiming he suffered emotional distress, and alleging that the debt was not owed to the defendants, and that the letter “erroneously” claimed that the current creditor to whom the debt was owed was not the owner of the debt, in violation of the FDCPA. The court granted the defendant’s summary judgment, dismissing the claims and finding that the case “is at the summary judgment stage,” which “requires proof of injury-in-fact beyond the sufficiency of Plaintiff’s allegations of an injury.” The court further stated that the “[p]laintiff states in his responding Declaration that his stress came from not knowing how his personal information was learned by Defendant,” but that the “[p]laintiff did not seek medical attention for the emotional distress he suffered.” The court continued that “failure to seek medical treatment is material in establishing the extent of Plaintiff’s injury (in [sic] any) from the emotional distress.” The court found that the plaintiff did “not establish[] that he suffered an injury-in-fact from his emotional distress arising from the dunning letter.”

    Courts Class Action Debt Collection FDCPA Consumer Finance

  • District Court dismisses privacy class action claims citing absence of jurisdiction

    Privacy, Cyber Risk & Data Security

    On May 5, the U.S. District Court for the Northern District of California granted defendants’ motions to dismiss a putative class action concerning invasion of privacy claims related to the collection of consumer data over an online shopping platform. The Canada-based e-commerce company and two of its wholly-owned subsidiaries operate an e-commerce platform that hosts merchants’ websites and facilitates and verifies customers’ payment information. According to the plaintiff, the defendants’ platform intercepts payment information and collects shoppers’ sensitive personal information through the use of cookies, including names, addresses, and credit card information. The plaintiff alleged that the defendants compile the data into individualized profiles, which are shared with merchants, and also share shoppers’ data with other non-merchant third parties. Shoppers are not required to consent to any of these activities and are supposedly unaware that their sensitive information is being tracked and shared, the plaintiff stated, claiming violations of California’s Invasion of Privacy Act, Computer Data Access and Fraud Act, and Unfair Competition Law, among other things. In dismissing the action, the court concluded that the plaintiff’s privacy claims against the defendants are too general and fail to identify which defendant is responsible for the plaintiff’s alleged injuries. The court noted that it would normally permit the plaintiff to amend his complaint to address the issue, but said that in this case the court lacks both general and specific jurisdiction over any of the defendants. The court explained that the plaintiff failed to argue that any of the three entities (based either in Canada or Delaware) are subject to general jurisdiction in California. Simply stating that the platform “enables merchants to sell products online . . . does not represent an intentional act directed at California residents,” the court stated.

    Privacy/Cyber Risk & Data Security Courts Class Action State Issues California Jurisdiction

  • Defendants to pay $5.7 million for alleged data breach

    Privacy, Cyber Risk & Data Security

    On October 17, the U.S. District Court for the Northern District of Ohio granted final approval of a $5.7 million settlement in a class action against a fast-food chain (defendant) resolving allegations that it acted negligently for failing to protect customers’ data when hackers stole payment card information from more than 700 franchised restaurants. According to the order, in 2017, a data breach compromised the defendant’s customer payment data, which resulted in multiple lawsuits that were settled. In the current case, the plaintiffs sued the defendant for negligence related to insecure systems that led to the data breach. The plaintiffs alleged that the defendant’s negligence required financial institutions to spend resources to respond to the breach. Under the terms of the settlement, the defendant is required to pay under a per-card formula up to $5.73 million to resolve class member claims, which would include up to $3 million to pay class members’ claims ($1.00 per reissued card and $1.50 per card experiencing fraud within four weeks of the breach). The defendant is required to pay up to $500,000 for settlement administration, up to $30,000 for class representative service awards, and up to $2.2 million for attorneys’ fees and expenses.

    Privacy/Cyber Risk & Data Security Courts Class Action Data Breach Settlement

  • District Court allows data sharing invasion of privacy claims to proceed

    Privacy, Cyber Risk & Data Security

    On May 4, the U.S. District Court for the Central District of California dismissed the majority of a putative class action accusing several large retailers and a data analytics company (collectively, “defendants”) of illegally sharing their consumer transaction data, allowing only an invasion of privacy claim to proceed. In 2020, plaintiffs claimed the retail defendants shared consumer data without authorization or consent, including “all unique identification information contained on or within a consumer’s driver’s license, government-issued ID card, or passport, e.g., the consumer’s name, date of birth, race, sex, photograph, complete street address, and zip code,” with the data analytics company, which used the information to create “risk scores” that purportedly calculated a consumer’s likelihood of retail fraud or other criminal activity. The court permanently dismissed the plaintiffs’ California Consumer Privacy Act claims, finding that the state law was not in effect when some of the plaintiffs allegedly attempted returns or exchanges and that the law does not contain an express retroactivity provision. Additionally, while plaintiffs argued that the retail defendants engaged in “a pattern or practice of data sharing,” the court concluded that plaintiffs failed “to allege that they are continuing to return or exchange merchandise at these retailers such that their data is disclosed” to the data analytics company. The court also dismissed the FCRA claims, ruling that the data analytics company’s risk report is not a “consumer report” subject to the FCRA because it does not “bear on Plaintiff’s eligibility for credit.” Plaintiffs’ claims for unjust enrichment and violations of California’s Unfair Competition Law were also dismissed.

    However, the court concluded that the plaintiffs had plausibly alleged a reasonable expectation of privacy against the defendants, pointing to “the wide discrepancy between Plaintiffs’ alleged expectations for Retail Defendants’ use of their data and its actual alleged use.”

    “The court finds dismissing this claim at the pleading stage particularly inappropriate where, as is the case here, defendants are the only party privy to the true extent of the intrusion on Plaintiffs’ privacy,” the court stated. “Reading the Complaint in a light most favorable to Plaintiffs, Plaintiffs sufficiently allege that [] defendants’ intrusion into Plaintiffs’ privacy was highly offensive.”

    Privacy/Cyber Risk & Data Security Courts State Issues Class Action CCPA California
